How to respond to ransomware

LAST EDITED:
PUBLISHED:

How your company can protect itself from ransomware and what to do in the event of an attack. ​

Ransomware attacks have been on the rise, with the Asia Pacific region alone experiencing a 168% increase in ransomware incidents in 2021 compared to the previous year (Check Point Research, 2020). Not only are ransomware attacks becoming more common, but they are targeting organizations across all sectors and sizes, from large multinationals to Small-Medium Enterprises (SMEs) and startups.

Ransomware attackers target an organization’s data, holding it hostage through encryption and requiring payment for it to be restored. Ransomware affects millions of businesses globally and is currently growing at unprecedented rates — both in terms of the likelihood of a ransomware attack against your organization and of the average ransom amount requested.

With the average ransom demand averaging USD 180,000, hackers are always on the lookout for digital open doors. It is crucial for organizations of all sizes to be informed of the cyber risks they face and build resilience.

In this article, we look at how your company can protect itself from ransomware and what to do in the event that you experience an attack.

How to mitigate cyber risk

Whilst it is impossible to fully eliminate the risk of cyber attacks, steps can be taken to significantly reduce the chances that these may happen.  

For example, keeping systems up-to-date is critical for ensuring the attacker has minimal opportunity to leverage vulnerabilities in your computing environment, and deploying Endpoint Detection and Response (EDR) services puts the highly specialized responsibility of monitoring for alerts or unwanted behaviour on the network into the hands of professional analysts backed by proven systems and procedures.

Additionally, companies should train their staff on how to spot and react to phishing attempts, which often lead to ransomware attacks, as this helps stop attackers at the front door and converts staff from being passive liabilities to active defenders.

Simple steps to protect your organization from ransomware

Pre-breach security is key in minimizing the chances that your company is compromised. This can be done through simple practices such as tightened security measures, full disk encryption, a strong password policy including multi-factor authentication (MFA), and the principle of least privilege.

​Tightening security measures should be done by understanding and enabling the full range of security features already available in their computing environment. This can be done through a security settings monitor such as that included in Pandarecon™, which checks that endpoints across the company are appropriately set up to carry out their necessary actions, without leaving unnecessary open doors.

When it comes to platforms, passwords are the first line of protection against any unauthorized access to your personal computer. The stronger the password, the higher level of protection your computer has from malicious software and hackers.

​Alongside full disk encryption, MFA is the most simple and effective way to confidently identify a user, protect their personal and organizational data, and prevent identity theft.

The primary benefit of MFA lies in enhancing your organization's security by requiring users to authenticate their identity with more than a username and password. While important, usernames and passwords are vulnerable to brute force attacks and can be stolen by third parties.

Additionally, companies should apply the principle of least privilege across all company platforms. This principle works by allowing only enough access to perform the required job. In an IT environment, adhering to the principle of least privilege reduces the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account, device, or application. Implementing this principle helps contain compromises to their area of origin, stopping them from spreading to the system at large.

Finally, having a clear incident response (IR) plan, including a good cyber insurance policy which offers expert digital forensics and incident response (DFIR) services and management support in the event of a cyber attack, enables teams to react in a controlled and proven manner, saving precious time and resources following an attack.

Alert Symbols

Ransomware incident response

Step 1: Disconnect or shut down your computing devices

Should you suspect or know that you are under attack from ransomware, you can either disconnect or power down all devices on the network.

Disconnecting affected computing device(s) from the network will prevent the malware from spreading to or encrypting other devices in the network, thus limiting the potential damage, and maintaining the maximum amount of forensic data.

However, the ransomware will continue to encrypt files on infected devices. Powering down all devices stops the ransomware from encrypting further files, which can be vital for the organization’s continuation of business as usual but comes at the risk of losing forensic information. Do not switch on any further devices, as this will allow the ransomware to spread further.

It is crucial that you document everything that happens and all your actions from the moment you find out about an attack. You can do this by:

  • Taking extensive notes regarding information displayed on screen (photos and screenshots are preferable)
  • Key dates and times
  • Hostnames
  • Bitcoin accounts
  • Email addresses

All this information is used during the investigation to reconstruct the exact timeline of events, pinpoint the first known compromise, and track communications with the attackers.

Step 2: Contact your trusted IR team

The sooner IR specialists can intervene in a live crisis situation, the higher the chances of successfully defeating the attackers and recovering hostage data. IR specialists are trained to mitigate the effects of an incident in a timely and organized manner, including analysing the intrusion, containing the impact, investigating the root cause, and remediating the issue with maximum efficiency and minimal business interruption.

Upon being contacted, the IR team collects key information about the organization’s requirements, payment expectations, goals, and deadlines by which business operations must resume. Specialists then request information about the first known compromise and the exact timeline of events to support their digital forensics investigations.

As timely response is critical in the first hours of a ransomware attack, Blackpanda recommends IR planning to ensure all response terms are agreed upon prior to an incident. Such agreements are often best delivered either as part of a comprehensive cyber insurance policy (where IR planning can be acquired at a discount) or through a prepaid IR retainer if you do not qualify for insurance.

The ransomware defence process by IR specialists proceeds in two parallel streams to ensure the most rapid and effective response possible. On one side, the technical team works to secure the system and recover as many files as possible; on the other, crisis managers run ransom negotiations, aid in creating secure payment accounts, and ensure legal compliance.

Step 3A: Technical response

Blackpanda incident responders carry out a variety of highly complex procedures to contain and eradicate the malware. These include:

Network security

Running a trusted Anti-Virus tool, or Microsoft Windows Defender is only adequate for simple virus protection and firewalling; however, ransomware is an advanced threat with the ability to bypass these safeguards via a range of entry vectors (existing software vulnerability, email phishing, and more). To make up for this, you will require Endpoint Detection and Response (EDR) tools such as SentinelOne with the ability to perform a more advanced in-depth scan of your environment. Importantly, you should take this step on all computers in your enterprise. At this stage, IR specialists are able to provide guidance on what needs to happen next in terms of network segregation, physical device actions, and more.

Eradication and loss mitigation

Upon being notified of an attack, the IR team will work fast to quarantine the ransomware, recovering as much data and as many digital assets as possible. Next, they will also conduct digital forensics to attempt to reverse engineer the malware and continue their data recovery efforts. Our experienced ransomware specialists may also be able to identify and retrieve decryption keys from known ransomware databases to unlock data without resorting to paying the attackers.

Proof of life

The IR team will try to decrypt files independently, while taking steps to obtain a decryption key from the attackers. In 2020, 17% of ransom payers did not receive a working key to unlock encrypted data. For this reason, a crucial part of the IR team’s work is also to assess the authenticity of decryption keys provided by the attackers through verified “proof of life” exercises.

Recovery

The IR team will ensure that the network is secured while concurrently decrypting the files, in order to prevent the same or other attackers from exploiting any vulnerabilities and deploying another ransomware. Equipped with the correct key, IR specialists will help decrypt all data, restore system health, and ensure that the malware and its root cause are fully eradicated.

Step 3B: Crisis management

A crucial part of ransomware incident response is crisis management, which comprises all the financial, legal and PR aspects of cyber incident response. This includes:

Network security ransom negotiation

For some organizations, a ransomware payment is a business decision first and foremost. For others, a prompt IR is the best way to minimise the chances of having to pay a ransom, which can be seen as a last resort - only to be done if all efforts to decrypt the hostage files have been unsuccessful. In the eventuality that the IR team is unable to independently decrypt the data, they can help organizations facilitate the ransom negotiation process. Negotiation efforts serve to achieve improved outcomes and provide the time and intelligence necessary for organizational leadership to make informed decisions.​

Attackers are also often not very responsive, as they may be conducting ransomware attacks on many organizations simultaneously. In these situations, IR specialists can help companies in successfully contacting the attackers and conducting negotiations.

Blackpanda IR specialists have a deep understanding of different ransomware tools and techniques, the actors and motives behind an attack, as well as the competencies of the attackers. During the negotiation process, all messages sent to the attackers by Blackpanda are carefully crafted to match the customer’s writing style and tone, whilst considering the attacker’s disposition, to help facilitate the best outcome.

Ransom payment facilitation

Once the negotiation has come to an accord, the IR team guides the organization through the payment of the ransom (if required and legal), setting up cryptocurrency payment accounts for the organization – which can be a lengthy and complicated process - and ensuring that all transactions are fully verified, transparent, secure, and auditable.

Organizations should also be aware that on 1st October 2020, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) issued a globally enforceable advisory regarding ransom payments to sanctioned entities, with associated penalties of up to USD 1 million and 20 years in prison. Blackpanda fully supports an organization’s due diligence efforts throughout the decision-making process, working closely with international law enforcement partners such as the US Secret Service and the Singapore and Hong Kong Police Force to identify threat actors and sanctioned-entity status. Other governments are also contemplating mandatory reporting of ransom payments over certain amounts[1], rendering facilitation services your best option to obtain expert advice and ensuring you are not liable for any regulatory breaches should you choose to pay a ransom.

Reputational damage mitigation

Falling victim to a cyberattack can catastrophically damage an organization’s reputation. Attackers may threaten to publish sensitive information or company secrets, and press about the attack can cause clients to feel that their data is unsafe with the compromised organization and distrust it in the future. To mitigate reputational damage in the wake of a ransomware attack, it is vital that appropriate public relations activity is activated immediately.

The IR team at Blackpanda works with trusted partners who can promptly support organizations in communicating with media and press outlets. This way, the public will know that the compromised organization is responsibly conducting the appropriate procedures to protect their clients’ information.

Reporting and compliance

Depending on your specific industry, geography, and relevant regulations, you may be required to report the attack to authorities, shareholders, and/or customers. Your IR team should also maintain thorough documentation of the incident in compliance with insurance and other regulatory requirements (such as MAS Reporting Requirements), which can be a complicated and time-consuming process for organizations to conduct independently. Working with trusted people will help you through this particularly stressful phase; we ensure that you know who to involve and have them ready to react.

Protect yourself from future attacks

The IR team works as trusted advisors with partnered entities to ensure that your business has taken all necessary preventive measures to avoid the recurrence of this attack type. This includes the deployment of a Managed Detection and Response (MDR) system and the creation of backups that are disconnected from the live network. There are valuable lessons to be learned from each attack. Follow the 7 Steps listed below in Protect & Prevent and refer to the guides on the Blackpanda website to learn more.

– – ​

Falling victim to ransomware can be a stressful and emotional time, and an experienced IR company such as Blackpanda provides invaluable help in containing the attack, eradicating the malware, and restoring business as usual, all whilst managing PR, negotiating with the attackers, and ensuring safety and legality throughout.

Blackpanda is Asia’s Premier Digital Forensics and Incident Response provider, and we support our clients by conducting regular compromise assessments to check for active threats in the network, preparing tabletop exercises and incident response plans to boost employee awareness, and responding to incidents promptly with Special Forces Expertise.

To learn more about our ransomware preparation services, or to report a breach, contact Blackpanda.

Sign Up to Our Newsletter

Our weekly Asia Cyber Summary is a snappy, non-technical overview of regional cyber security news that helps you stay informed. Test it today, you can always unsubscribe.